Mobile Operating System Comparison

From Kicksecure
Jump to navigation Jump to search

Comparison of Mobile Phones, Operating Systems that focus on either/and/or security, privacy, anonymity, source-available, Freedom Software, de-googled, un-googled, custom operating system (flash) allowed.

Introduction[edit]

This mobile phone related projects focused on either/and/or:

  • security,
  • privacy,
  • anonymity,
  • source-available,
  • Freedom Software,
  • de-googled, un-googled,
  • custom firmware (flashing) allowed,
  • alternative mobile hardware projects,
  • alternative mobile operating systems, and
  • also other popular or frequently discussed operating systems might be added.

All statements are either false or incomplete.archive.org

General Mobile Devices Security[edit]

See also Mobile Devices Backdoors in Most Phones Tablets Etc and Data Harvesting by Most Phones.

Software Projects[edit]

iPhone and Android[edit]

Most iPhone / Android devices [1] "Libre Android" [2] Linux Desktop Distributions Kicksecure Development Goals
Upgrades do not require vendor No Yes Yes Yes
User freedom to replace operating system No Yes Yes Yes
Administrator capabilities (root) not refused No Yes Yes Yes
Custom operating system (bootloader unlock) not refused No Yes Yes Yes
No trouble or void device warranty from software changes (rooting or bootloader unlock) No [3] No [4] Yes Yes
No user freedom restrictions No [5] Yes Yes Yes
No backdoors included No [6] Yes Yes Yes
No spyware included in operating system No [7] Yes Yes Yes
No culture of freemium applications that spy on users in appstores No [8] Yes Yes Yes
Culture of Freedom Software in appstores No Yes Yes Yes
Freedom Software No [9] Yes Yes Yes
Compromised application cannot access data of other applications Yes [10] Yes [10] No Yes
Malware on a compromised system cannot easily gain root Yes [11] Yes [11] No [12] Yes
Reasonable resistance against system wide rootkit Yes [13] Yes [13] No Yes
Verified Boot Yes Yes No Yes
Hardened Kernelarchive.org Yes Yes some Yes
Full System MAC Policyarchive.org Yes Yes No Yes
Internal storage can reasonably easily be removed and mounted elsewhere for the purpose of data recovery or hunting malware / rootkits. No [14] No [4] Yes [15] Yes [16]
Internal storage can reasonably easily be decrypted once transferred to a different device if password is known. No [17] No [18] Yes Yes [19]
Can reasonably easily boot from external hard drive, ignoring internal harddrive for purpose of data recovery or hunting malware / rootkits. No No [4] Yes Yes [16]
Can reasonably easily create full data backup. No [20] Yes Yes Yes [16]


Can reasonably easily create full data backup of any app when device is rooted with Titanium Backup or similar No [21] Yes Yes Yes [16]
Applications cannot refuse data backup (for purpose of malware, spyware analysis or backup and restore). No [22] Yes Yes [23] Yes [16]
No culture of users can ask device (code) for permission and device (code) will decide to grant or refuse the request. No Yes Yes [23] Yes [16]
No culture of applications refusing to run if device is rooted. No [24] Yes Yes Yes [16]
No culture of applications refusing to run if using a custom operating system (custom ROM). No [25] Yes Yes Yes [16]
User (privacy) settings are respected. No [26] Yes Yes Yes [16]
WiFi off indicator means that WiFi is really off. No [27] Yes Yes Yes [16]
Bluetooth off indicator means that Bluetooth is really off. No [28] Yes Yes Yes [16]
Prevention of targeted malicious upgrades. [29] No [30] ? [31] ? [32] Yes [33]
Vendors do not sometimes introduce mitigations that introduce attack surface. No [34] Yes Yes Yes [16]
The GNU Project does not state: "Apple's Operating Systems Are Malwarearchive.org" and "Google's Software is Malwarearchive.org". No Yes Yes Yes [16]

Quote More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – researcharchive.org. The operating system of these devices:

  • Do not receive security upgrades from the vendor.
  • Third parties (such as users or the modding community) cannot provide (security) upgrades either due to locked bootloaders, which cannot be unlocked due to vendor decision and due to unavailability of a security bug which could unlock the bootloader.
  • Even if bootloaders can be unlocked there might not be an adequate operating system upgrades available from third parties, such as the modding community. Either due to unpopularity of the devices among modding developers and/or due to technical challenges.

Ability to upgrade (security fixes) devices; replace operating system; bootloader freedom vs bootloader non-freedom:

  • iPhones and some Android devices have locked boot loaders that cannot be unlocked. This restricts user freedom and makes replacing the operating system impossible without a verified boot bypass exploit. In case the vendor deprecated security support for the device, the only choices users realistically have is to keep using an insecure device, or to buy a device which still has security support. Similarly, locked bootloaders also prevent gaining administrator (root) access.
  • Some Android devices do allow unlocking the bootloader but not with custom verified boot keys, causing a decrease in security.
  • Some Android devices (such as the Nexus or Pixel devices) support full verified boot with custom keys that can be used with alternative operating systems.

In conclusion, when using iPhone/Android devices that still receive security updates, the iPhone/Android approach provides strong protection against malware, meaning those platforms are impacted much less than Windows or Linux desktops. [10] Despite the many downsides (Mobile Devices Backdoors in Most Phones Tablets Etc, Data Harvesting by Most Phones, ...), the security model of popular mobile operating systems often affords better protection when attempting to prevent any malicious and unapproved party from establishing a foothold in their ecosystem. In the process, the user's and the security community's ability to audit and control what their devices are actually doing is severely diminished. Due to a Conflict of Interest this comes at the expense of transferring power from the user to the developers, user freedom restrictions, Tyrant Security, War on General Purpose Computing.

Android Based[edit]

Google Android versus Android AOSP[edit]

Android AOSP (Android Open Source Project) is the Open-Source version of the Android operating system. It includes the core components of the operating system, such as the kernel, libraries, and basic applications. Android AOSP is freely available for anyone to download, modify, and use.

Google Android, on the other hand, is the version of Android that is developed and maintained by Google. It includes additional features and services developed by Google, such as Google Play, Google Maps, and Google Assistant. Google Android is the version of Android that is pre-installed on most Android devices and is the version that most people are familiar with.

Stock firmware from vendors such as Samsung is based on Google Android, but with additional customizations made by the vendor. These customizations can include changes to the user interface, additional features or apps, and modifications to the Android framework itself. Most if not all vendors install additional bloatware, that is software which is unwanted by the user and that often cannot be uninstalled.

Alternative ROMs, such as LineageOS, are based on Android AOSP but with additional modifications made by the ROM developer. These modifications can include additional features, performance optimizations, and changes to the user interface. Alternative ROMs are often popular among users who want more control over their device or who prefer a more stock Android experience without vendor customizations or bloatware.

Google Android[edit]

About Google Android[edit]

This applies to almost all users of Google Android. [35]

The European Commission: Antitrust: Commission fines Google €4.34 billion for illegal practices regarding Android mobile devices to strengthen dominance of Google's search enginearchive.org

Google Android SafetyNet[edit]

"SafetyNet": Android rats out the user. It's informing applications if the user made modifications to the device that are unapproved by Google. The list of unapproved modifications currently includes the absence of Google Play Services (if when installed, lead to massive data harvesting), alternative operating systems and device rooting.

Google Android Espionage Data Harvesting[edit]

There is massive espionage data harvesting on Google Android. No surprise due to:

  • Weak privacy policies: The Google privacy policyarchive.org applies to all Google services and ecosystems. This includes the right to collect information such as: [36]
    • Personal information: Name, email address, and telephone number.
    • Device-specific information: Hardware model, operating system, unique device identifiers, mobile network information.
    • Log information: Search queries, telephony log information (phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls), IP address, browser-specific cookies, and device event information (crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL).
    • Location information: IP address, GPS, and other sensors providing information on nearby services such as Wi-Fi access points and cell towers. It was recently discoveredarchive.org Google continues to track users even after they opt-out of Location History. [37]
    • Unique application numbers: Information on application types and version numbers.
    • Local storage: Storing personal information locally with local browser storage (like HTML5) and application data caches.

Android based operating systems based on Android AOSP that do not have Google Play Services (or possibly other Google apps) installed are exempt.

Android Generally[edit]

Android Anti-Features[edit]

There is a number of anti-features in both, Google Android as well as most (if not all) Android AOSP based operating systems.

What is an anti-feature?

Functionality originally intended as a feature, but perceived as a bug, annoyance, or infringement of freedoms by some or even most users.

  • Apps can prevent the creation of screenshots.
  • The owner of the device has no full read/write access to all the files on the device.
    • App developers can prevent their app's data from being backed up by setting allowbackup=false.
    • Android prioritizes the wishes of the application developer over the wishes of the user. Android allows apps to set restrictions on how these apps can be used, even if those restrictions may be inconvenient or unwanted by the user.
    • Users are prevented from accessing the device's host file (/etc/hosts), which can be used to block advertisements.
  • Android can leak information to apps about whether the user is using location spoofing, which can be used to hide the user's actual location. [38]
  • There is no built-in boot menu that allows users to boot from USB or SD card for the purpose of data backup, troubleshooting, malware / spyware analysis, system modification, or experimentation with different operating systems.
    • There is also no mechanism to get a fully copy of all data from the devices's internal storage for the same purposes.
  • See also these mobile devices restrictions.

These are anti-features from the user's point of view. These can be considered features from application developers or operating system developer viewpoint.

Android Developer Potential Conflict of Interest[edit]

Developers offering Android based operating systems for download have a potential Conflict of Interest. If Android based projects would implement technical ways [39] that most laymen users can use to gain root and/or to keep control over the software running on their devices, then the project's chances to be ever get a highly profitable hardware producer partnership would be severely diminished.

iPhone[edit]

CalyxOS[edit]

Phones need a lot of proprietary files to boot and for all hardware to work, we have automated scripts to download and set them up.

GrapheneOS[edit]

  • Hardened version of AOSP, with a strong focus on security and privacy. Currently only supported on Pixel devices.
  • Lead developer is Daniel Micay (who previously worked on CopperheadOS).
  • Common ancestry with CopperheadOS.
  • https://grapheneos.orgarchive.org
  • https://github.com/GrapheneOSarchive.org
  • https://www.reddit.com/r/GrapheneOS/archive.org
  • Comes with numerous anti-features. Some of the same anti-features as Google Android Anti-Features.
    • For more information on GrapheneOS anti-features and potentially a way to disable a few of these, see resign-android-image.
    • These anti-features might also apply numerous other AOSP based operating systems such as CalyxOS, /e/OS, LineageOS, and CopperheadOS.
  • Argues that allowing users to gain root (administrative rights / superuser) access would inevitably break the security model and that there is no conceivable solution that can uphold both user security and freedom.
    • Quote GrapheneOS lead developerarchive.org [40]:
      • It doesn't sound like you want GrapheneOS since you don't care about the core security goals. I recommend using something else.

      • GrapheneOS is not aimed at power users or hobbyists aiming to tinker with their devices more than they can via the stock OS or AOSP.

    • https://archive.ph/2sYurarchive.org
    • Related: verified boot, ideological considerations
    • Rooting is a very popular feature request generally for Android. [41]
    • Rooting is required to circumvent a large number of Anti-Features.
    • It can be argued that without root rights, the software is not really Free Software in spirit. This is elaborated in chapter General Threats to User Freedom chapter Administrative Rights.
    • Also numerous other AOSP based operating systems refuse to grant users the ability to gain root access.
      • GrapheneOS and other AOSP-based operating systems are not obligated to implement the frequently requested feature that allows users a secure and selective method to gain root access. Many casual users seek this to maintain control over the software on their devices. Alternatively, these operating systems could offer an API or a similar mechanism, enabling third-party developers to create applications that provide this functionality.
  • Sometimes when they use the word "security" in connection with GrapheneOS, they do not mean what is normally understand normally mean by that word: protecting your machine from things you do not want. They mean upholding the much praised "Android Security Model", which includes providing guarantees to app developers that the operating system will behave in a certain way at the expense of user freedom (anti-features).
    • As a user of Hacker News pointed out [42]:

      Security is very important. Why? In order to not be exploited by strangers (criminals, spys...) against my interests. If security enables exploitation against my interests (by whomever, be it the OS vendor, the movie industry, or the government), it is not the security I want.

  • Supports DRM (Digital Restrictions Managementarchive.org) / walled garden / anti-freedom / Google SafetyNet style hardware attestation where developers can configure their applications to only run on devices on certified firmware which are a technologies that are part of the War on General Purpose Computing. [43]
    • Quote GrapheneOS lead developerarchive.org:

      Users are free to avoid apps using attestation to implement DRM / anti-cheat.

      • A Google search with term site:https://grapheneos.orgarchive.org "free software" which means search for mentions of free software on grapheneos.org homepage at time of writing shows no results. (Only mentions in its discussion forum.) GrapheneOS does not seems to have a strong commitment towards these ideals.
      • site:https://grapheneos.orgarchive.org "open source" does have search results. Quotearchive.org:

        GrapheneOS is an open sourcearchive.org project with an open development process.

      • In hindsight, these differences in opinionsarchive.org might be unsurprising. Android forks are based on AOSP which stands for Android Open Source Project. It doesn't stand for Android Free(dom) Software Project.
      • Its LICENSE.txtarchive.org is the MIT Licensearchive.org. It's not using the GPLarchive.org version 3archive.org which attempts to prevent threats to user freedom such as Tivoizationarchive.org (locked bootloaders which prevent users from replacing the operating system and from gaining administrative rights ("rooting").
        • GrapheneOS lead developer Daniel Micay on GPLv3archive.org:

          GrapheneOS can't use GPLv3 for Vanadium because it's incompatible with the WebView being loaded into other applications and GPLv3 has restrictions which would result in GrapheneOS being less free, by disallowing valid usage of GrapheneOS to make devices with an immutable root of trust. We want GrapheneOS to be friendly to people making downstream projects/products based on it and therefore stick to permissive licenses and GPLv2.

          • In layman's terms, this stance allows hardware vendors who use GrapheneOS to lock down their bootloaders. This can restrict users from replacing the operating system, gaining root access, or removing unwanted software such as spyware, bloatware, thereby affecting the user's ability to prevent mistreatment.
          • The common counterargument to these concerns is "users are free to not purchase such devices." This is being addressed here: do not buy.
      • It should be pointed out that AOSP itself does not come with a mechanism for users to gain administrative rights.
      • This again might also be the case for numerous other AOSP based operating systems.
  • Full verified boot which would be great if the key would be held by users and encouraged through a first start process or similar instead of held by the developer.
  • On the upside, GrapheneOS provides improved user controls. See some of its user-facing features: network permission toggle, sensor permission toggle, storage Scopes, GPS control, sandboxed Play Services (which runs Play Services unprivileged and force it to play by the permission system).
Category Description
Freedom Software? See this.archive.org
Does not prioritizes power of developers over users. No
Prioritizes power of users. No
Opposes the War on General Purpose Computing. No
Allows users to disable network and sensor (accelerometer, etc.) access for apps. Yes
Implements various changes to harden libc, the Linux kernel, and other OS components. Yes
Includes Vanadium, a hardened and mostly de-Googled version of Chromium. Yes
Making efforts to allow users to gain root in a secure way. No
Supports devices that come with hardware kill switches. No
Supporting Google financially not required in order to purchase a supported device. No

Ironically, in order to to purchase a device compatible with GrapheneOS, one has to buy a supported Google Pixel device and therefore support with the purchase one of the biggest anti privacy, most data harvesting and user freedom prohibiting companies in the world, Google.

Why is the GrapheneOS chapter one of the largest chapters on this wiki page? The author of this wiki page points out:

Since GrapheneOS has the top or very high search results for search engine search terms such as “mobile phone security operating system” as well as in my experience seems to be most frequently brought up in online discussions around topics of Android and security you could argue that it’s the most popular in that niche. GrapheneOS is also what caught most of my interest in this area.

See the sourcearchive.org for further elaboration.

As a Hacker news user is opinionating:

TLDR: Rather than encouraging app developers to abandon the plainly anti-FOSS/anti-user technology that is SafetyNet hardware attestation, GrapheneOS instead encourages developers to continue locking down their apps such that they only work on specific operating systems, but also kindly asks them to add the official releases of GrapheneOS to the list of "approved" Android builds (in addition to proprietary "Google-approved" Android, of course). The above link is a handy implementation guide for developers that GrapheneOS has published to their website and actively encourages its users to share with developers.

SafetyNet hardware attestation is an anti-FOSS/anti-user technology that has no legitimate use case. It allows apps to arbitrarily refuse to run on "un-approved" versions of Android. Apps have absolutely no business policing the operating systems that users are allowed to run on their device. If this technology is adopted by a large number of applications that people rely upon, we are left with no option other than to use an "approved" OS. We cannot fork GrapheneOS if the project goes in a certain direction that we disagree with, because then we would be unable to run the apps we need.

Strcat's response to anyone ideologically opposed to this is "don't use GrapheneOS":

The link the user is talking about is Attestation compatibility guidearchive.org.

Quote GrapheneOS lead developer:

If you have an ideological issue with GrapheneOS providing working attestation and preserving the app security model, i.e. allowing apps can perform checks that cannot be faked without an exploit, my recommendation is using something else. If you consider this capability to make it a "walled garden" then GrapheneOS is happily a "walled garden" allowing you install any software you want just like the stock OS.

As a Hacker news user is opinionating:

Tragically GrapheneOS doesn't tend to view any Google decisions through a critical lens, which would allow them to see through some of Google's "security features" for what they really are: user-control features implemented solely to ensure that most people do not switch away from the stock OS and continue to consume Google services, handing over their user data in the process.

resign-android-image[edit]

resign-android-imagearchive.org is a list of GrapheneOS anti-features and a script to disable some of the anti-features.

[...] supports applying modifications, such as having ADB root and being able to backup all applications, that violate the Android security model that GrapheneOS wishes to uphold, not because they make the device less secure for you, but because they follow your own wishes over providing guarantees to app developers that the OS will behave in a certain way. [...]

[...] With resign-android-image, you can take back control of your Android device, [...]

With this tool, you are no longer at the mercy of your OS' upstream developers, and can decide for yourself how you want to configure your device without having to wipe /data and reinstall on every change, all without compromising the security [...]

[..] removing a few antifeatures included in Android upstream [...]

Not having full arbitrary read/write access to the state of your own device state is generally considered unacceptable and the sign of a device that is not truly yours and completely under your control, but rather owned and controlled by an entity who dictates how your device should behave; unfortunately that's the way it is with upstream GrapheneOS and stock OS, but fortunately, you can remedy the situation with the --adb-root option. [...]

/e/[edit]

LineageOS[edit]

  • This is only a quick mention. Accuracy of this wiki chapter might be low.
  • Previously called Cyanogenmod
  • No google services installed by default (good for privacy and security).
  • Google services can be optionally installed as an add-on
  • Hardware: after market firmware for loads of devices, including Fairphone and OnePlus
  • https://lineageos.orgarchive.org

Replicant[edit]

Plasma Mobile[edit]

  • This is only a quick mention. Accuracy of this wiki chapter might be low.
  • By KDE
  • Not security focused at all at this stage?
  • Builds based on Kubuntu and Archlinux
  • Hardware: Google Nexus 5, 5X
  • https://plasma-mobile.orgarchive.org

PostmarketOS[edit]

  • This is only a quick mention. Accuracy of this wiki chapter might be low.
  • Very early stage of development
  • Linux distro (based on Alpine Linux) on the phone
  • Hardware: many devices, including Google Nexus models and Fairphone 2
  • https://postmarketos.orgarchive.org

Ubuntu Touch[edit]

Hardware Projects[edit]

Librem 5[edit]

PinePhone[edit]

CopperheadOS[edit]

Fairphone[edit]

  • This is only a quick mention. Accuracy of this wiki chapter might be low.
  • https://www.fairphone.comarchive.org
  • Hardware: Now the third iteration Fairphone 3 is available and is a testament to the success of the prior models.
  • Built for easy hardware repairs and upgrades to combat planned obsolescence .

OnePlus[edit]

  • This is only a quick mention. Accuracy of this wiki chapter might be low.
  • Not all Freedom Software by default but software modifications permitted
    • Hardware that grants users the "right to flash"
    • (Root and custom ROM allowed without voiding warranty)
  • Hardware: OnePlus 3, 3T, 5, 5T (current models)
  • https://www.oneplus.com/archive.org

Openmoko[edit]

Neo900[edit]

  • This is only a quick mention. Accuracy of this wiki chapter might be low.
  • Dead
  • Reanimated
  • Open platform (OpenPhoenux GTA04) in tradition of Openmoko
  • Hardware: Neo900
  • https://neo900.org/archive.org

PiTalk[edit]

Volla Phone[edit]

Link Mentions[edit]

Hardware Kill Switches[edit]

No phone has a speaker yet that can be disabled but this is just as important as speakers can be turned into microphones. That is because a speaker is technically quite similar to microphones. See SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profitarchive.org.

Next best option is to have a phone that at least has a removable battery to make it's sometimes really powered off and not secretly spying.

Definitions[edit]

source-available[edit]

source-available - better term required

  • can be modified and redistributed
  • source available to public without registration
  • a legal condition preventing the usual blessing of capitalized Open Source, Free Software as blessed by stewards OSI, FSF or Debian DSFG licensesarchive.org

Quick Mentions[edit]

A quick mention on this wiki page means that only a minimal effort has been made reviewing the respective project. The accuracy of the wiki chapter might be low. Quick mentions are added because at first sight these seemed like noteworthy, interesting projects. A quick mention can be considered a watchlist that might be worth looking into further in the future. A more extensive review might be contributed at a later time.

Bloatware[edit]

Bloatware is a term used to describe pre-installed software or applications on a device that are not essential to the device's core functionality or the user's needs. These applications may be installed by the device manufacturer, the operating system provider, or a third-party developer, and can take up valuable storage space, memory, and processing power on the device.

Bloatware is often considered undesirable by users because it can slow down the device, take up storage space that could be used for other purposes, and may even collect personal data or serve advertisements. However, some manufacturers and developers may include bloatware on devices as a way to generate additional revenue or promote their own services or products.

In summary, bloatware is unnecessary software that comes pre-installed on a device, and it can be a source of frustration for users who want to have more control over what is on their device and how it performs.

Related[edit]

Forum Discussion[edit]

https://forums.whonix.org/t/overview-of-mobile-projects-that-focus-on-either-and-or-security-privacy-anonymity-source-available-freedom-software/4557archive.org

See Also[edit]

Footnotes[edit]

  1. Most iPhone / Android phones that are sold by mobile carriers or manufacturers have locked bootloaders. These phones are often packaged with spyware installed by default, which cannot be removed. There may be rare exceptions to this rule, hence "most" and not "all". These exceptions are not the point which shall be made in this comparison. See the "Libre Android" column for what is theoretically possible.
  2. There is no "Libre Android" at time of writing. It's only a concept to illustrate a point. There is no "perfect" Android distribution. GrapheneOS has verified boot but root access is refused in default buildsarchive.org. Replicant allows root access, but no references were found that Replicant makes use of verified boot yet. It's not relevant to pick any specific Android distribution for the sake of making the point "iPhone and Android Level Security for Linux Desktop Distributions" no specific Android distribution was chosen for this compassion. A "perfect" Android distribution checking all "green yes" is possible in theory. It doesn't exist due to policy decisions. (GrapheneOS vs root in default builds vs device selection / features.) There are no technical reasons for non-existence. See also this Overview of Mobile Projects, that focus on either/and/or security, privacy, anonymity, source-available, Freedom Software..
  3. https://www.howtogeek.com/240417/does-rooting-or-unlocking-void-your-android-phones-warranty/archive.org
  4. 4.0 4.1 4.2 Same issue as Most iPhone / Android devices since inheriting the same hardware limitations.
  5. Mobile Devices Restrictions
  6. Mobile Devices Backdoors in Most Phones Tablets Etc
  7. Data Harvesting by Most Phones
  8. Data Harvesting by Most Apps
  9. Comes with a lot proprietary software installed by default.
  10. 10.0 10.1 10.2 That would require an exploit. In comparison, a compromised application on the Linux desktop running under user has full access to all information which that user has access to, including all files, keystrokes and so on. The exception is when mandatory access control (MAC)archive.org is in use and successfully confines that application.
  11. 11.0 11.1 Occasionally there are exploits that allow applications to gain root, but as time passes more of these vulnerabilities are being fixed.
  12. On the Linux desktop the process of Preventing malware from Sniffing the Root Password is cumbersome and unpopular. Therefore any compromised application on the Linux desktop could lead to root compromise. This in turn might compromise the bootloader, kernel, or even hardware. It is difficult to detect malware, remove a rootkitarchive.org and indicators of compromise are rare.
  13. 13.0 13.1 Through verified boot.
  14. This is a hardware limitation. Internal storage is a chip and soldered. Removal is an operation which most repair shops are incapable of performing. Even if removed, it's not easy to find a device which can read the device without booting from it. Perhaps it could be booted from in another device, but that would be beside the point. If the operating system is unbootable due to software issues, it will also be unbootable elsewhere. If malware analysis is the goal, then no code from the suspected infected storage device should ever be executed.
    Even worse if full disk encryption was used as per next table entry.
    Hence, not "reasonably easily" possible.

    Quote How to fully backup non-rooted devices?archive.org:

    For 4.0+ devices there is a solution called "adb backup".

    Note: This only works for apps that do not disallow backup! Apps that disallow backup are simply ignored when creating a backup using this way.

    Information from Copy full disk image from Android to computerarchive.org does not work for non-rooted / non-rootable devices.

    Taking a non-rooted Android device with GrapheneOS, contributed by a user.

    $ adb devices
    List of devices attached
    xxxxxxxxxxx    device
    
    $ adb root
    adbd cannot run as root in production builds
    
    $ adb shell
    walleye:/ $ ls
    ls: ./init.zygote64_32.rc: Permission denied
    ls: ./init.rc: Permission denied
    ls: ./init.usb.rc: Permission denied
    ls: ./ueventd.rc: Permission denied
    ls: ./init.zygote32.rc: Permission denied
    ls: ./init: Permission denied
    ls: ./cache: Permission denied
    ls: ./init.environ.rc: Permission denied
    ls: ./persist: Permission denied
    ls: ./postinstall: Permission denied
    ls: ./init.usb.configfs.rc: Permission denied
    ls: ./metadata: Permission denied
    acct apex bin bugreports charger config d data debug_ramdisk default.prop dev dsp etc firmware lost+found mnt odm oem proc product product_services res sbin sdcard storage sys system vendor
    1|walleye:/ $ sudo ls
    /system/bin/sh: sudo: inaccessible or not found
    127|walleye:/ $ su
    /system/bin/sh: su: inaccessible or not found
    127|walleye:/ $
    
    walleye:/dev/block $ ls -lah
    total 0
    drwxr-xr-x  6 root   root       2.4K 1970-07-03 11:40 .
    drwxr-xr-x 18 root   root       3.9K 2020-05-26 15:41 ..
    lrwxrwxrwx  1 root   root         37 1970-07-03 11:40 bootdevice -> /dev/block/platform/soc/1da4000.ufshc
    drwxr-xr-x  2 root   root       1.6K 1970-07-03 11:40 by-name
    brw-------  1 root   root   252,   0 1970-07-03 11:40 dm-0
    brw-------  1 root   root   252,   1 1970-07-03 11:40 dm-1
    brw-------  1 root   root     7,   0 1970-07-03 11:40 loop0
    brw-------  1 root   root     7,   8 1970-07-03 11:40 loop1
    brw-------  1 root   root     7,  80 1970-07-03 11:40 loop10
    brw-------  1 root   root     7,  88 1970-07-03 11:40 loop11
    brw-------  1 root   root     7,  96 1970-07-03 11:40 loop12
    brw-------  1 root   root     7, 104 1970-07-03 11:40 loop13
    brw-------  1 root   root     7, 112 1970-07-03 11:40 loop14
    brw-------  1 root   root     7, 120 1970-07-03 11:40 loop15
    brw-------  1 root   root     7,  16 1970-07-03 11:40 loop2
    brw-------  1 root   root     7,  24 1970-07-03 11:40 loop3
    brw-------  1 root   root     7,  32 1970-07-03 11:40 loop4
    brw-------  1 root   root     7,  40 1970-07-03 11:40 loop5
    brw-------  1 root   root     7,  48 1970-07-03 11:40 loop6
    brw-------  1 root   root     7,  56 1970-07-03 11:40 loop7
    brw-------  1 root   root     7,  64 1970-07-03 11:40 loop8
    brw-------  1 root   root     7,  72 1970-07-03 11:40 loop9
    drwxr-xr-x  2 root   root         80 1970-07-03 11:40 mapper
    drwxr-xr-x  3 root   root         60 1970-07-03 11:40 platform
    brw-------  1 root   root     1,   0 1970-07-03 11:40 ram0
    brw-------  1 root   root     1,   1 1970-07-03 11:40 ram1
    brw-------  1 root   root     1,  10 1970-07-03 11:40 ram10
    brw-------  1 root   root     1,  11 1970-07-03 11:40 ram11
    brw-------  1 root   root     1,  12 1970-07-03 11:40 ram12
    brw-------  1 root   root     1,  13 1970-07-03 11:40 ram13
    brw-------  1 root   root     1,  14 1970-07-03 11:40 ram14
    brw-------  1 root   root     1,  15 1970-07-03 11:40 ram15
    brw-------  1 root   root     1,   2 1970-07-03 11:40 ram2
    brw-------  1 root   root     1,   3 1970-07-03 11:40 ram3
    brw-------  1 root   root     1,   4 1970-07-03 11:40 ram4
    brw-------  1 root   root     1,   5 1970-07-03 11:40 ram5
    brw-------  1 root   root     1,   6 1970-07-03 11:40 ram6
    brw-------  1 root   root     1,   7 1970-07-03 11:40 ram7
    brw-------  1 root   root     1,   8 1970-07-03 11:40 ram8
    brw-------  1 root   root     1,   9 1970-07-03 11:40 ram9
    brw-------  1 root   root     8,   0 1970-07-03 11:40 sda
    brw-------  1 root   root     8,   1 1970-07-03 11:40 sda1
    brw-------  1 root   root     8,  10 1970-07-03 11:40 sda10
    brw-------  1 root   root     8,  11 1970-07-03 11:40 sda11
    brw-------  1 root   root     8,  12 1970-07-03 11:40 sda12
    brw-------  1 root   root     8,  13 1970-07-03 11:40 sda13
    brw-------  1 root   root     8,  14 1970-07-03 11:40 sda14
    brw-------  1 root   root     8,  15 1970-07-03 11:40 sda15
    brw-------  1 root   root   259,   0 1970-07-03 11:40 sda16
    brw-------  1 root   root   259,   1 1970-07-03 11:40 sda17
    brw-------  1 root   root   259,   2 1970-07-03 11:40 sda18
    brw-------  1 root   root   259,   3 1970-07-03 11:40 sda19
    brw-------  1 root   root     8,   2 1970-07-03 11:40 sda2
    brw-------  1 root   root   259,   4 1970-07-03 11:40 sda20
    brw-------  1 root   root   259,   5 1970-07-03 11:40 sda21
    brw-------  1 root   root   259,   6 1970-07-03 11:40 sda22
    brw-------  1 root   root   259,   7 1970-07-03 11:40 sda23
    brw-------  1 root   root   259,   8 1970-07-03 11:40 sda24
    brw-------  1 root   root   259,   9 1970-07-03 11:40 sda25
    brw-------  1 root   root   259,  10 1970-07-03 11:40 sda26
    brw-------  1 root   root   259,  11 1970-07-03 11:40 sda27
    brw-------  1 root   root   259,  12 1970-07-03 11:40 sda28
    brw-------  1 root   root   259,  13 1970-07-03 11:40 sda29
    brw-------  1 root   root     8,   3 1970-07-03 11:40 sda3
    brw-------  1 root   root   259,  14 1970-07-03 11:40 sda30
    brw-------  1 root   root   259,  15 1970-07-03 11:40 sda31
    brw-------  1 root   root   259,  16 1970-07-03 11:40 sda32
    brw-------  1 root   root   259,  17 1970-07-03 11:40 sda33
    brw-------  1 root   root   259,  18 1970-07-03 11:40 sda34
    brw-------  1 root   root   259,  19 1970-07-03 11:40 sda35
    brw-------  1 root   root   259,  20 1970-07-03 11:40 sda36
    brw-------  1 root   root   259,  21 1970-07-03 11:40 sda37
    brw-------  1 root   root   259,  22 1970-07-03 11:40 sda38
    brw-------  1 root   root   259,  23 1970-07-03 11:40 sda39
    brw-------  1 root   root     8,   4 1970-07-03 11:40 sda4
    brw-------  1 root   root   259,  24 1970-07-03 11:40 sda40
    brw-------  1 root   root   259,  25 1970-07-03 11:40 sda41
    brw-------  1 root   root   259,  26 1970-07-03 11:40 sda42
    brw-------  1 root   root   259,  27 1970-07-03 11:40 sda43
    brw-------  1 root   root   259,  28 1970-07-03 11:40 sda44
    brw-------  1 root   root   259,  29 1970-07-03 11:40 sda45
    brw-------  1 root   root     8,   5 1970-07-03 11:40 sda5
    brw-------  1 root   root     8,   6 1970-07-03 11:40 sda6
    brw-------  1 root   root     8,   7 1970-07-03 11:40 sda7
    brw-------  1 root   root     8,   8 1970-07-03 11:40 sda8
    brw-------  1 root   root     8,   9 1970-07-03 11:40 sda9
    brw-------  1 root   root     8,  16 1970-07-03 11:40 sdb
    brw-------  1 root   root     8,  17 1970-07-03 11:40 sdb1
    brw-------  1 root   root     8,  32 1970-07-03 11:40 sdc
    brw-------  1 root   root     8,  33 1970-07-03 11:40 sdc1
    brw-------  1 root   root     8,  48 1970-07-03 11:40 sdd
    brw-------  1 root   root     8,  49 2020-05-26 15:41 sdd1
    brw-------  1 root   root     8,  58 1970-07-03 11:40 sdd10
    brw-------  1 root   root     8,  59 1970-07-03 11:40 sdd11
    brw-------  1 root   root     8,  60 1970-07-03 11:40 sdd12
    brw-------  1 root   root     8,  61 1970-07-03 11:40 sdd13
    brw-------  1 root   root     8,  62 1970-07-03 11:40 sdd14
    brw-------  1 root   root     8,  63 2020-05-26 15:42 sdd15
    brw-------  1 root   root   259,  30 2020-05-26 15:41 sdd16
    brw-------  1 root   root   259,  31 2020-05-26 15:41 sdd17
    brw-------  1 root   root   259,  32 1970-07-03 11:40 sdd18
    brw-------  1 root   root     8,  50 1970-07-03 11:40 sdd2
    brw-------  1 root   root     8,  51 1970-07-03 11:40 sdd3
    brw-rw----  1 system system   8,  52 2020-05-26 15:48 sdd4
    brw-------  1 root   root     8,  53 1970-07-03 11:40 sdd5
    brw-------  1 root   root     8,  54 1970-07-03 11:40 sdd6
    brw-------  1 root   root     8,  55 1970-07-03 11:40 sdd7
    brw-------  1 root   root     8,  56 1970-07-03 11:40 sdd8
    brw-------  1 root   root     8,  57 1970-07-03 11:40 sdd9
    brw-------  1 root   root     8,  64 1970-07-03 11:40 sde
    brw-------  1 root   root     8,  65 1970-07-03 11:40 sde1
    brw-------  1 root   root     8,  66 1970-07-03 11:40 sde2
    brw-------  1 root   root     8,  67 1970-07-03 11:40 sde3
    brw-------  1 root   root     8,  68 1970-07-03 11:40 sde4
    brw-------  1 root   root     8,  69 1970-07-03 11:40 sde5
    brw-------  1 root   root     8,  80 1970-07-03 11:40 sdf
    brw-------  1 root   root     8,  81 1970-07-03 11:40 sdf1
    brw-------  1 root   root     8,  82 1970-07-03 11:40 sdf2
    brw-------  1 root   root     8,  83 1970-07-03 11:40 sdf3
    brw-------  1 root   root     8,  84 1970-07-03 11:40 sdf4
    brw-------  1 root   root     8,  85 1970-07-03 11:40 sdf5
    drwx------  2 root   root         40 1970-07-03 11:40 vold
    brw-------  1 root   root   253,   0 2020-05-26 15:41 zram0
    
    $ adb shell
    walleye:/ $ mount
    /dev/root on / type ext4 (ro,seclabel,nodev,relatime)
    tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=1851548k,nr_inodes=462887,mode=755)
    devpts on /dev/pts type devpts (rw,seclabel,nosuid,noexec,relatime,mode=600)
    proc on /proc type proc (rw,nosuid,nodev,noexec,relatime,gid=3009,hidepid=2)
    sysfs on /sys type sysfs (rw,seclabel,nosuid,nodev,noexec,relatime)
    selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
    tmpfs on /mnt type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755,gid=1000)
    tmpfs on /apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755)
    /dev/block/sdd3 on /persist type ext4 (rw,seclabel,nosuid,nodev,noatime,data=ordered)
    /dev/block/dm-1 on /vendor type ext4 (ro,seclabel,relatime)
    none on /dev/cpuctl type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
    none on /acct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
    none on /dev/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
    none on /dev/stune type cgroup (rw,nosuid,nodev,noexec,relatime,schedtune)
    /dev/root on /apex/com.android.tzdata@290000000 type ext4 (ro,seclabel,relatime)
    /dev/root on /apex/com.android.tzdata type ext4 (ro,seclabel,relatime)
    /dev/root on /apex/com.android.runtime@1 type ext4 (ro,seclabel,relatime)
    /dev/root on /apex/com.android.runtime type ext4 (ro,seclabel,relatime)
    debugfs on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
    none on /config type configfs (rw,nosuid,nodev,noexec,relatime)
    tracefs on /sys/kernel/debug/tracing type tracefs (rw,seclabel,relatime)
    /dev/block/sde4 on /metadata type ext4 (rw,sync,seclabel,nosuid,nodev,noatime,discard,data=ordered)
    /dev/block/sda28 on /firmware type vfat (ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro)
    tmpfs on /storage type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755,gid=1000)
    /dev/block/sda45 on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resgid=1065,errors=panic,stripe=4096,data=ordered)
    /dev/root on /apex/com.android.conscrypt@290000000 type ext4 (ro,seclabel,nodev,relatime)
    /dev/root on /apex/com.android.conscrypt type ext4 (ro,seclabel,nodev,relatime)
    /dev/root on /apex/com.android.media@290000000 type ext4 (ro,seclabel,nodev,relatime)
    /dev/root on /apex/com.android.media type ext4 (ro,seclabel,nodev,relatime)
    /dev/root on /apex/com.android.media.swcodec@290000000 type ext4 (ro,seclabel,nodev,relatime)
    /dev/root on /apex/com.android.media.swcodec type ext4 (ro,seclabel,nodev,relatime)
    /dev/root on /apex/com.android.resolv@290000000 type ext4 (ro,seclabel,nodev,relatime)
    /dev/root on /apex/com.android.resolv type ext4 (ro,seclabel,nodev,relatime)
    adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
    mtp on /dev/usb-ffs/mtp type functionfs (rw,relatime)
    ptp on /dev/usb-ffs/ptp type functionfs (rw,relatime)
    /data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal)
    /data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal)
    /data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23,derive_gid,default_normal)
    /data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal)
    /data/media on /mnt/runtime/full/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal)
    pstore on /sys/fs/pstore type pstore (rw,seclabel,relatime)
    
  15. Computer (non-mobile) hardware is much more flexible. Storage devices can be removed from a computer, then added to another computer as a secondary disk. When booting from an installation assumed to be uncompromised (by [the same] malware), a search for malware can be performed on the other disk without executing any code, reducing risk of infection for the booted disk. This kind of procedure can be performed reasonably easily by most repair shops, and even non-technical people can do this without the need for soldering.
  16. 16.00 16.01 16.02 16.03 16.04 16.05 16.06 16.07 16.08 16.09 16.10 16.11 16.12 Same as Linux Desktop Distributions.
  17. The masterkey is not stored on the internal storage. It is stored in hardware.archive.org which is even harder to extract.

    Note: "masterkey" here does not mean "backdoor". This is normal for most Linux desktop distributions offering full disk encryption. The masterkey is stored somewhere. When entering the password at boot with Linux desktop full disk encryption enabled, what gets decrypted is not actually the disk but the masterkey. This is then used to decrypt the disk, which is also called luks header. The advantage of the masterkey is that changing the disk encryption password is possible without having to re-encrypt the whole disk. (cryptsetup-reencrypt).

    It is perhaps possible to dump the masterkey if the phone can still be started and can be rooted. There are no instructions how to do so. Hence, not "reasonably easily".
  18. Same issue as Most iPhone / Android devices. Limitation of hardware, not software.
  19. Same as Linux Desktop Distributions.
  20. See next point below.
  21. Signalarchive.org is such an example. People expected Titanium Backuparchive.org to be able to backup the Signal app data but lost dataarchive.org. Extra steps are required for a Signal backup.archive.org (Insturctions untested by author of this wiki page.)
  22. Quote https://developer.android.com/guide/topics/manifest/application-element#allowbackuparchive.org android:allowBackup

    Whether to allow the application to participate in the backup and restore infrastructure. If this attribute is set to false, no backup or restore of the application will ever be performed, even by a full-system backup that would otherwise cause all application data to be saved via adb. The default value of this attribute is true.

  23. 23.0 23.1 If credentials can be provided (full disk encryption password if used), (super) root will have full access.
  24. How to prevent applications from discovering my phone as being Rootedarchive.org
  25. How-To Geek: SafetyNet Explained: Why Android Pay and Other Apps Don’t Work on Rooted Devicesarchive.org
  26. AP Exclusive: Google tracks your movements, like it or notarchive.org

    Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.

    An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.

    Computer-science researchers at Princeton confirmed these findings at the AP’s request.

  27. How it works, according to Google, is that the Android Location Services periodically checks on your location using GPS, Cell-ID, and Wi-Fi to locate your device. When it does this, your Android phone will send back publicly broadcast Wi-Fi access points' Service set identifier (SSID) and Media Access Control (MAC) data. Again, this isn't just how Google does it; it's how everyone does it. It's Industry practice for location database vendors.

  28. Google can still use Bluetooth to track your Android phone when Bluetooth is turned offarchive.org
  29. As in singling out specific users. Shipping malicious upgrades to select users only.
  30. Most android phones have a feature which allows to login on google play web/desktop version using the same e-mail address which is used on the phone. Usually the same gmail address. When clicking install for an app using the google play web/desktop version, the user will be prompter (in case of having registred multiple devices) on which device the app should be installed. After pressing install, the app will be installed on the phone. This videoarchive.org demonstrates this. It is therefore established that the google website can result in remote app installation on the phone. It follows that a coerced or compromised google play website could do the same. Since the gmail based web login can be linked to the same gmail address on the phone, pushing targeted malicious upgrades is esspecially easy. Even if a phone was always fully torified (all traffic routed over Tor) the gmail identifier could still be used. While Tor can anonymize the connection, it does not (and should not) attempt to modify anything inside the traffic (the gmail identifier).
  31. Probably same as Linux Desktop Distributions.
  32. Linux distributions usually do not require an e-mail based login to receive upgrades. Users can still be singled out by IP addresses unless users opt-in for using something such as apt-transport-tor which is not the default.
  33. All upgrades are downloaded over Tor. There is no way for the server to ship legit upgrade packages to most users while singling out specific users for targeted attacks.
  34. Some Android vendors introduce mitigations that introduce attack surfacearchive.org.
  35. Except to the few users using after market firmwares that resist flashing google play services. https://www.androidpit.com/android-without-google-appsarchive.org
  36. Google's insistence on real-name policies for Gmail and Youtube accounts, along with strict measures to prevent signing up via Tor, have significantly contributed to user profiling. Google has also dropped its ban on personally-identifiable information in advertisement services.
  37. Meaning Google applications continue to store time-stamped location data without user input.
  38. https://github.com/chriswoope/resign-android-image#locationismock-neuteringarchive.org Location.isMock]
  39. Or leave an "API" or similar mechanism which third-party developers could develop an application to provide the functionality.
  40. https://archive.ph/94YVQarchive.org
  41. search term examples:
    • Quote https://grapheneos.org/usage#sandboxed-play-servicesarchive.org

      The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. GrapheneOS has a detailed guidearchive.org for app developers on how to support GrapheneOS with the hardware attestation API. Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.

    • https://grapheneos.org/articles/attestation-compatibility-guidearchive.org
  42. https://github.com/chriswoope/resign-android-image/issues/10archive.org
  43. https://wiki.pine64.org/index.php?title=PinePhone_Software_Releases#GloDroidarchive.org
  44. https://forum.pine64.org/showthread.php?tid=17626archive.org
  45. https://copperhead.co/android/downloadsarchive.org

    CopperheadOS source code for all devices are made available to the public under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license, along with some portions that are GPL2 (kernel) or GPL3 (F-Droid).

    Devices purchased from our store come with a per-device commercial license for the official builds.

    Contact sales@copperhead.co for obtaining commercial licensing for the source code, bulk sales of devices or custom development work. Funding the public release of CopperheadOS sources under more permissive licensing is also an option.


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!